avoid using domain admin account installing programs

From: Laurence Field (laurence_field_at_yahoo.com)
Date: 05/26/05

  • Next message: Gonzalo Martinez: "Re: help , scripting for security" 
    Date: 26 May 2005 06:01:25 -0000
To: security-basics@securityfocus.com
    ('binary' encoding is not supported, stored as-is)

    Hi list

    I am observing a project that requires installing a HDD encryption software on 1000's of laptops. A team is currently researching various installation methods, and the easiest has been to give test users a user name and password (installer account) with instructions to log into the domain using this account. The acount has a log in script & very limited desktop & applications settings etc. ie. you can log on but run no programs, and do nothing on the desktop. This is for XP, 2000 & NT40 clients, that will run a few required operations ie. scandisk etc., copy the setup file on local PCs, then run the setup program. After the setup is finished, the PC automatically reboots and the HDD software is then installed and complete. The problem is the account they propose to use to install this program is a domain admin account. An obvious risk is although users cannot do anything if they login to this account (except install the HDD software) savvy users can use this account to do an
     ything they want ie. net use etc.

    Does anybody have a better way to copy programs on a PC (NT40, XP), then run the program as a domain admin, without the user needing to know the domain admin account name & password? Group policy I am told in not an option as we have NT40 laptops.

    I am sure there are better way to securely install this software. Any tips, pointers, URLs would be appreciative.

    Thank you

    LF

  • Next message: Gonzalo Martinez: "Re: help , scripting for security"